diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
deleted file mode 100644
index 8be4aa5..0000000
--- a/.github/FUNDING.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-# These are supported funding model platforms
-
-github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
-patreon: # Replace with a single Patreon username
-open_collective: # Replace with a single Open Collective username
-ko_fi: # Replace with a single Ko-fi username
-tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
-community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
-liberapay: # Replace with a single Liberapay username
-issuehunt: # Replace with a single IssueHunt username
-otechie: # Replace with a single Otechie username
-custom: ['https://www.buymeacoffee.com/shenxn']
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index defc7de..dbaa1ba 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -2,6 +2,7 @@
 name: build from source
 on:
 push:
+ branches: [master]
 paths:
 - .github/workflows/build.yaml
 - build/*
@@ -13,105 +14,21 @@ on: workflow_dispatch: env: - GHCR_REPO: shenxn/protonmail-bridge-docker - DOCKERHUB_REPO: shenxn/protonmail-bridge - DOCKER_REPO_DEV: ghcr.io/shenxn/protonmail-bridge - PLATFORMS: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/riscv64 + GHCR_REPO: ghcr.io/${{ github.repository_owner }}/protonmail-bridge jobs: - test: - runs-on: ubuntu-latest - if: github.ref != 'refs/heads/master' - steps: - - name: Checkout - uses: actions/checkout@master - - - name: Set version - id: version - run: echo "version=`cat VERSION`" >> $GITHUB_ENV - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ${{ env.DOCKER_REPO_DEV }} - - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - with: - driver-opts: network=host - - - name: Build and push by digest - id: build - uses: docker/build-push-action@v6 - with: - labels: ${{ steps.meta.outputs.labels }} - outputs: type=image,"name=${{ env.DOCKER_REPO_DEV }}",push-by-digest=false,name-canonical=true,push=true - context: ./build - file: ./build/Dockerfile - tags: "${{ env.DOCKER_REPO_DEV }}:dev-${{ github.ref_name }}" - build-args: | - version=${{ env.version }} - - - name: Run Trivy vulnerability scan - uses: aquasecurity/trivy-action@0.30.0 - with: - image-ref: "${{ env.DOCKER_REPO_DEV }}:dev-${{ github.ref_name }}" - format: 'sarif' - exit-code: 0 - severity: 'CRITICAL,HIGH' - output: 'trivy-results.sarif' - - - name: Upload Trivy scan SARIF report - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' - build: runs-on: ubuntu-latest - if: github.event_name == 'push' && github.ref == 'refs/heads/master' - strategy: - fail-fast: false - matrix: - platform: - - linux/amd64 - - linux/arm64/v8 - - linux/arm/v7 - - linux/riscv64 + permissions: + contents: read + packages: 
write + security-events: write steps: - name: Checkout - uses: actions/checkout@master - - - name: Prepare - run: | - platform=${{ matrix.platform }} - echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV + uses: actions/checkout@v4 - name: Set version - id: version - run: echo "version=`cat VERSION`" >> $GITHUB_ENV - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ${{ env.DOCKERHUB_REPO }} - ${{ env.GHCR_REPO }} - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_PASSWORD }} + run: echo "version=$(cat VERSION)" >> $GITHUB_ENV - name: Login to GHCR uses: docker/login-action@v3 
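Review bot: The `Set version` step copies the contents of VERSION into GITHUB_ENV unvalidated (`echo "version=$(cat VERSION)" >> $GITHUB_ENV`), and that file is written by update-check.py straight from the upstream release's `tag_name`; a value containing a newline would define extra environment variables for every later step, and the value is then expanded inside `tags:` and `build-args:`. Constrain it to the expected shape before exporting it, e.g. `v=$(tr -d '\r\n' < VERSION)`, `[[ "$v" =~ ^v?[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected VERSION: $v" >&2; exit 1; }`, `echo "version=$v" >> "$GITHUB_ENV"`. Separately, every action in this job is referenced by a mutable tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/setup-buildx-action@v3`); pinning them to full commit SHAs with the tag in a trailing comment closes the tag-retargeting route, which matters more now that the job holds `packages: write`. The `build` job's remaining steps continue in the next hunk.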
@@ -120,113 +37,43 @@ jobs: username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - - name: Build and push by digest - id: build + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.GHCR_REPO }} + tags: | + type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }} + type=raw,value=${{ env.version }} + + - name: Build and push uses: docker/build-push-action@v6 with: - platforms: ${{ matrix.platform }} - labels: ${{ steps.meta.outputs.labels }} - outputs: type=image,"name=name=${{ env.DOCKERHUB_REPO }},${{ env.GHCR_REPO }}",push-by-digest=true,name-canonical=true,push=false context: ./build file: ./build/Dockerfile - tags: | - "${{ env.DOCKERHUB_REPO }}:build" - "${{ env.DOCKERHUB_REPO }}:${{ env.version }}-build" - "${{ env.GHCR_REPO }}:build" - "${{ env.GHCR_REPO }}:${{ env.version }}-build" - provenance: false - sbom: false + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} build-args: | version=${{ env.version }} - - - name: Export digest - run: | - mkdir -p ${{ runner.temp }}/digests - digest="${{ steps.build.outputs.digest }}" - touch "${{ runner.temp }}/digests/${digest#sha256:}" - - - name: Upload digest - uses: actions/upload-artifact@v4 - with: - name: digests-${{ env.PLATFORM_PAIR }} - path: ${{ runner.temp }}/digests/* - if-no-files-found: error - retention-days: 1 - - - merge: - runs-on: ubuntu-latest - needs: - - build - steps: - - name: Download digests - uses: actions/download-artifact@v4 - with: - path: ${{ runner.temp }}/digests - pattern: digests-* - merge-multiple: true - - - name: Set version - id: version - run: echo "version=`cat VERSION`" >> $GITHUB_ENV - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.REGISTRY_USERNAME 
}} - password: ${{ secrets.REGISTRY_PASSWORD }} - - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - with: - driver-opts: network=host - - - name: Docker meta - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ${{ env.DOCKERHUB_REPO }} - ${{ env.GHCR_REPO }} - tags: | - type=raw,enable=true,value=${{ env.version }}-build - type=raw,enable=true,suffix=,value=build - - - name: Create manifest list and push - working-directory: ${{ runner.temp }}/digests - run: | - docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf '${{ env.DOCKERHUB_REPO }}@sha256:%s ' *) - docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ - $(printf '${{ env.GHCR_REPO }}@sha256:%s ' *) + cache-from: type=gha + cache-to: type=gha,mode=max - name: Run Trivy vulnerability scan + if: github.event_name != 'pull_request' uses: aquasecurity/trivy-action@0.30.0 with: - image-ref: "${{ env.DOCKERHUB_REPO }}:${{ env.version }}-build" - format: 'sarif' + image-ref: "${{ env.GHCR_REPO }}:${{ env.version }}" + format: sarif exit-code: 0 - severity: 'CRITICAL,HIGH' - output: 'trivy-results.sarif' + severity: CRITICAL,HIGH + output: trivy-results.sarif + - name: Upload Trivy scan SARIF report + if: github.event_name != 'pull_request' uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: 'trivy-results.sarif' - - - name: Inspect image - run: | - docker buildx imagetools inspect ${{ env.DOCKERHUB_REPO }}:${{ steps.meta.outputs.version }} - docker buildx imagetools inspect ${{ env.GHCR_REPO }}:${{ steps.meta.outputs.version }} + sarif_file: trivy-results.sarif 
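Review bot: The Trivy step runs only after `Build and push` has already published the image (`push: ${{ github.event_name != 'pull_request' }}`), is configured with `exit-code: 0`, and is skipped on pull requests, so a CRITICAL/HIGH finding can never stop a release or surface before merge; the removed `test` job at least scanned a dev-tagged image for every non-master push, so pull requests now get no scan at all. Build the image locally first (`load: true`), scan it with a non-zero exit code, and push in a separate step that is only reached when the scan passes; the second build is served from the layer cache the first one populates. The SARIF upload then needs `if: ${{ !cancelled() && github.event_name != 'pull_request' }}` so findings still reach code scanning when the scan step fails. Whether `ignore-unfixed: true` is acceptable depends on how often the base image ships CVEs without a fix; without it the gate may block releases on findings the project cannot act on.
```yaml
      - name: Build image locally
        uses: docker/build-push-action@v6
        with:
          context: ./build
          file: ./build/Dockerfile
          load: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            version=${{ env.version }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Run Trivy vulnerability scan
        uses: aquasecurity/trivy-action@0.30.0
        with:
          image-ref: "${{ env.GHCR_REPO }}:${{ env.version }}"
          format: sarif
          exit-code: 1
          ignore-unfixed: true
          severity: CRITICAL,HIGH
          output: trivy-results.sarif

      - name: Upload Trivy scan SARIF report
        if: ${{ !cancelled() && github.event_name != 'pull_request' }}
        # … unchanged: upload-sarif step body …

      - name: Push image
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@v6
        with:
          context: ./build
          file: ./build/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            version=${{ env.version }}
          cache-from: type=gha
```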
diff --git a/.github/workflows/deb.yaml b/.github/workflows/deb.yaml deleted file mode 100644 index ddf4c99..0000000 --- a/.github/workflows/deb.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -name: pack from deb - -on: - push: - paths: - - .github/workflows/deb.yaml - - deb/* - - VERSION - pull_request: - paths: - - .github/workflows/deb.yaml - - deb/* - workflow_dispatch: - -env: - DOCKER_REPO: shenxn/protonmail-bridge - DOCKER_REPO_DEV: ghcr.io/shenxn/protonmail-bridge-dev - -jobs: - deb: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@master - - name: Set version - id: version - run: echo "version=`cat VERSION`" >> $GITHUB_ENV - - name: Set repo - id: repo - run: if [[ $GITHUB_REF == "refs/heads/master" ]]; then echo "::set-output name=repo::${DOCKER_REPO}"; else echo "::set-output name=repo::${DOCKER_REPO_DEV}"; fi - - name: Docker meta - id: docker_meta - uses: crazy-max/ghaction-docker-meta@v1 - with: - images: ${{ steps.repo.outputs.repo }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - name: Build image without push - uses: docker/build-push-action@v2 - with: - context: ./deb - file: ./deb/Dockerfile - load: true - tags: protonmail-bridge:latest - - name: Scan image - id: scan - uses: anchore/scan-action@v2 - with: - image: protonmail-bridge:latest - fail-build: true - severity-cutoff: critical - acs-report-enable: true - - name: Upload Anchore scan SARIF report - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ steps.scan.outputs.sarif }} - - name: Login to DockerHub - uses: docker/login-action@v1 - if: ${{ github.event_name != 'pull_request' }} - with: - username: ${{ secrets.REGISTRY_USERNAME }} - password: ${{ secrets.REGISTRY_PASSWORD }} - - name: Login to GitHub Container Registry - uses: docker/login-action@v1 - if: ${{ github.event_name != 'pull_request' }} - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.CR_PAT }} - - name: Push image - uses: docker/build-push-action@v2 - with: - context: ./deb - file: ./deb/Dockerfile - tags: | - ${{ steps.repo.outputs.repo }}:latest - ${{ steps.repo.outputs.repo 
}}:${{ env.version }} - labels: ${{ steps.docker_meta.outputs.labels }} - push: ${{ github.event_name != 'pull_request' }} diff --git a/.github/workflows/mirror.yaml b/.github/workflows/mirror.yaml deleted file mode 100644 index 4e2409b..0000000 --- a/.github/workflows/mirror.yaml +++ /dev/null @@ -1,27 +0,0 @@ -name: Mirroring - -# yamllint disable-line rule:truthy -on: - push: - branches: - - master - - dev - -jobs: - mirror_gitee: - name: Mirror to Gitee - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - with: - fetch-depth: 0 - - name: Push to Gitee - env: - SSH_KEY: ${{ secrets.GITEE_KEY }} - run: | - mkdir -p ~/.ssh - echo "${SSH_KEY}" > ~/.ssh/id_rsa - chmod 600 ~/.ssh/id_rsa - export GIT_SSH_COMMAND="ssh -o StrictHostKeyChecking=no -l git" - git remote add gitee git@gitee.com:shenxn/protonmail-bridge-docker.git - git push --tags --force --prune gitee "refs/remotes/origin/*:refs/heads/*" diff --git a/.github/workflows/update-check.yaml b/.github/workflows/update-check.yaml index 0c46ab4..02a070b 100644 --- a/.github/workflows/update-check.yaml +++ b/.github/workflows/update-check.yaml @@ -1,24 +1,19 @@ name: update check on: - push: - paths: - - .github/workflows/update-check.yaml - - update-check.py - pull_request: - paths: - - .github/workflows/update-check.yaml - - update-check.py schedule: - - cron: '0 0 * * *' # runs everyday at midnight + - cron: "0 0 * * *" + workflow_dispatch: + +permissions: + contents: write jobs: check: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@master - with: - token: ${{ secrets.PERSONAL_TOKEN }} - - name: Check Update - run: python3 update-check.py ${{ github.event_name == 'pull_request' }} + - name: Checkout + uses: actions/checkout@v4 + + - name: Check for update + run: python3 update-check.py diff --git a/deb/Dockerfile b/deb/Dockerfile deleted file mode 100644 index a0d8e2c..0000000 --- a/deb/Dockerfile +++ /dev/null 
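Review bot: Replacing `secrets.PERSONAL_TOKEN` with the job's default `GITHUB_TOKEN` (now granted `contents: write` at workflow level) changes what the version-bump commit can do: pushes made with `GITHUB_TOKEN` do not, by design, trigger other `on: push` workflows, so the `Bump version` commit from update-check.py will no longer start build.yaml on its own, and the push is rejected outright if master has branch protection the token cannot bypass. If the build is meant to follow the bump, either dispatch it explicitly from this job (`gh workflow run build.yaml`, which additionally needs `actions: write`) or open a pull request instead of pushing to master. `permissions:` should also sit under the `check` job rather than the workflow root, so a job added later does not inherit write access by default.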
@@ -1,28 +0,0 @@ -### The Deb install is just a repack of the official ProtonMail Bridge deb package with less dependencies. -### I recommend you don't use this. It's here for legacy reasons. - -FROM debian:sid-slim AS build - -COPY install.sh PACKAGE / -RUN apt-get update && apt-get install -y wget binutils - -# Repack deb (removes unnecessary dependencies and produces /protonmail.deb) -RUN bash /install.sh - -FROM debian:sid-slim -LABEL maintainer="Simon Felding " - -EXPOSE 25/tcp -EXPOSE 143/tcp - -WORKDIR /protonmail - -# Copy bash scripts -COPY gpgparams entrypoint.sh PACKAGE /protonmail/ -COPY --from=build /protonmail.deb /tmp/protonmail.deb - -RUN apt-get update \ - && apt-get install -y --no-install-recommends /tmp/protonmail.deb socat pass libsecret-1-0 ca-certificates procps \ - && rm -rf /var/lib/apt/lists/* - -CMD ["bash", "/protonmail/entrypoint.sh"] diff --git a/deb/PACKAGE b/deb/PACKAGE deleted file mode 100644 index 6d4eacd..0000000 --- a/deb/PACKAGE +++ /dev/null @@ -1 +0,0 @@ -https://github.com/ProtonMail/proton-bridge/releases/download/v3.22.0/protonmail-bridge_3.22.0-1_amd64.deb \ No newline at end of file diff --git a/deb/entrypoint.sh b/deb/entrypoint.sh deleted file mode 100644 index 13637e5..0000000 --- a/deb/entrypoint.sh +++ /dev/null 
@@ -1,49 +0,0 @@ -#!/bin/bash - -set -ex - -# Initialize -if [[ $1 == init ]]; then - - # # Parse parameters - # TFP="" # Default empty two factor passcode - # shift # skip `init` - # while [[ $# -gt 0 ]]; do - # key="$1" - # case $key in - # -u|--username) - # USERNAME="$2" - # ;; - # -p|--password) - # PASSWORD="$2" - # ;; - # -t|--twofactor) - # TWOFACTOR="$2" - # ;; - # esac - # shift - # shift - # done - - # Initialize pass - gpg --generate-key --batch /protonmail/gpgparams - pass init pass-key - - # Login - protonmail-bridge --cli - -else - - # socat will make the conn appear to come from 127.0.0.1 - # ProtonMail Bridge currently expects that. - # It also allows us to bind to the real ports :) - socat TCP-LISTEN:25,fork TCP:127.0.0.1:1025 & - socat TCP-LISTEN:143,fork TCP:127.0.0.1:1143 & - - # Start protonmail - # Fake a terminal, so it does not quit because of EOF... - rm -f faketty - mkfifo faketty - cat faketty | protonmail-bridge --cli - -fi diff --git a/deb/gpgparams b/deb/gpgparams deleted file mode 100644 index 355568e..0000000 --- a/deb/gpgparams +++ /dev/null @@ -1,8 +0,0 @@ -%no-protection -%echo Generating a basic OpenPGP key -Key-Type: RSA -Key-Length: 2048 -Name-Real: pass-key -Expire-Date: 0 -%commit -%echo done diff --git a/deb/install.sh b/deb/install.sh deleted file mode 100644 index 9593725..0000000 --- a/deb/install.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/bin/bash -set -ex - -# Repack deb (remove unnecessary dependencies) -mkdir deb -wget -i /PACKAGE -O /deb/protonmail.deb -cd deb -ar x -v protonmail.deb -mkdir control -tar zxvf control.tar.gz -C control -sed -i "s/^Depends: .*$/Depends: libgl1, libc6, libsecret-1-0, libstdc++6, libgcc1/" control/control -cd control -tar zcvf ../control.tar.gz . -cd ../ - -ar rcs -v /protonmail.deb debian-binary control.tar.gz data.tar.gz diff --git a/update-check.py b/update-check.py index 19666d6..13e29b6 100644 --- a/update-check.py +++ b/update-check.py 
@@ -3,34 +3,24 @@ import requests, os, sys def git(command): return os.system(f"git {command}") - release = requests.get("https://api.github.com/repos/protonmail/proton-bridge/releases/latest").json() version = release['tag_name'] -deb = [asset for asset in release ['assets'] if asset['name'].endswith('.deb')][0]['browser_download_url'] print(f"Latest release is: {version}") with open("VERSION", 'w') as f: f.write(version) -with open("deb/PACKAGE", 'w') as f: - f.write(deb) - git("config --local user.name 'GitHub Actions'") git("config --local user.email 'actions@github.com'") git("add -A") -if git("diff --cached --quiet") == 0: # Returns 0 if there are no changes +if git("diff --cached --quiet") == 0: print("Version didn't change") exit(0) git(f"commit -m 'Bump version to {version}'") -is_pull_request = sys.argv[1] == "true" - -if is_pull_request: - print("This is a pull request, skipping push step.") - exit(0) if git("push") != 0: print("Git push failed!")
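Review bot: `import requests, os, sys` still imports `sys` although its only use, `sys.argv[1]`, is removed in this hunk; drop it (`import requests, os`). The value this edit leaves ungated is also worth a check: `version` comes straight from the upstream API's `tag_name`, is written to VERSION, and is interpolated into `os.system(f"git commit -m 'Bump version to {version}'")`, so a tag containing a quote or newline would reach the shell and every downstream workflow unchecked; validate it right after it is read, e.g. `if not re.fullmatch(r"v?\d+(\.\d+)*", version): raise SystemExit(f"unexpected tag: {version!r}")` (with `import re`), or pass the commit message as a `subprocess.run([...])` argument instead of a shell string. `requests.get(...).json()` is also used without `raise_for_status()`, so a rate-limited or failing API call surfaces as a KeyError on `'tag_name'` rather than a clear error. This is a flat script whose first lines are outside the hunk.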